Odoo Security - hiding buttons in XML based on groups

I have a query about some of Odoo's mechanisms that I am not able to understand at all, and would sincerely appreciate it if anyone can throw some light on the case below:

Take the module hr_holidays for example. The default case, with a single validation works like this - a regular employee applies for a leave and submits it. The employee's manager gets a notification, approves the leave and it is done.

Now, after submitting the leave request, the user cannot see the "Approve"/"Reject" button in his form view. However, the manager can open the same form view and see the buttons because he belongs to that security group.

However, the crucial point here is that the approval button gets rendered on the webpage for the normal employee as well !! It is simply hidden with CSS styling. We can right click the header bar, remove the oe_form_invisible tag for the "Approve" button and display it !

But, even though we can display it, if we click on the Approve button as a normal employee, nothing will happen and the workflow does not get triggered. Therefore, system integrity is maintained. I had developed a separate module with an approval process, but there, the approval button works for normal employees and is a massive security hole. My own module does not use a workflow however. Could someone please explain how to prevent this from happening in my module?